Malware Analysis Report

2024-09-09 19:13

Sample ID 240613-xpjhtsscpm
Target 0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7
SHA256 0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7

Threat Level: Known bad

The file 0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7 was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies Installed Components in the registry

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 19:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 19:01

Reported

2024-06-13 19:04

Platform

win7-20231129-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 1368 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 1368 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 1368 wrote to memory of 1388 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 1388 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1388 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1388 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 1388 wrote to memory of 2280 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2280 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2280 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2280 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2280 wrote to memory of 2576 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 2576 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2728 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 2576 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2788 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 768 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 768 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 768 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 768 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 2576 wrote to memory of 2004 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe

"C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 19:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

N/A

Files

memory/1368-1-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1368-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1368-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1368-2-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/1368-4-0x0000000000401000-0x000000000042E000-memory.dmp

\Windows\system\explorer.exe

MD5 e8ef55a7d73237eb54b003383b523153
SHA1 63a2bb92ad43d7dae4d86c859d65a99e04ffa6a6
SHA256 13c689a4ef34a36fc217e2633802a1e292efbeabeb56aab19bad0b7f28ac146f
SHA512 77b6bb30ed9546be3deb07ebafc3255635b37612a2a269610a61514b8a4fdf9ac4e9a760e95714a4006d88db6e9b4a5f01aa77d0380a8960ce0c6e5e3be868fc

memory/1388-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1368-20-0x00000000026E0000-0x0000000002711000-memory.dmp

memory/1368-19-0x00000000026E0000-0x0000000002711000-memory.dmp

memory/1388-17-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\spoolsv.exe

MD5 47a2a14c7072f19162d513a3bbc1e38b
SHA1 a10f363ef20e8768dd0e7bd7b793830074dcf017
SHA256 e8efdc46e1a4e244e6953b27581e4506cd7435a686dd19d71766b450156540db
SHA512 d68282445c6e57653e9a6f770ac23af9df24a33ebcf57f8d6f3fd5c9ff5b08ad99bccaaa240e716476dcd63d3bf9350c19cf882b4e1fa3607057350073c5b2af

memory/2280-36-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1388-35-0x0000000002670000-0x00000000026A1000-memory.dmp

memory/2280-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2280-37-0x0000000072940000-0x0000000072A93000-memory.dmp

\Windows\system\svchost.exe

MD5 57beb2432a42019370dd6f9a55c66319
SHA1 b914592a2343c9a17f0a2c03befa6b51ae190ac2
SHA256 9235050f700be160927d91d6014297fe24526812462402c1fbe9a4f43ef912d4
SHA512 4556cf580c3baa859e3e95f36aa5facb8574f210c93b74da2f48763f7db29a2ef6e811e8a92ee249467f41951e8a9ba6e888fb40271fbf8560b2a804d6c83c5f

memory/2576-55-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2280-54-0x0000000000530000-0x0000000000561000-memory.dmp

memory/2280-53-0x0000000000530000-0x0000000000561000-memory.dmp

memory/2576-56-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2728-66-0x0000000072940000-0x0000000072A93000-memory.dmp

memory/2280-74-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2728-72-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1368-80-0x0000000000401000-0x000000000042E000-memory.dmp

memory/1368-79-0x0000000000020000-0x0000000000024000-memory.dmp

memory/1368-78-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 421428c1e511f275a2ec58a46c909afe
SHA1 2f2f783d6262d3a8580ff5b330518101763068eb
SHA256 c0f6c514dedfdc13ffdfaeb99f95c1dfa667e810002a4539a98de444fb001881
SHA512 5beab3d42ad507203e3b654ce2ec337d248cedb14fdd33bdf1f83847b4677cdd76be4439325c9bad4a3e7d5d68ffd360aa606f7003f0d426856d5e7150b69a62

memory/1388-82-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2576-84-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1388-93-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 19:01

Reported

2024-06-13 19:04

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe" \??\c:\windows\system\svchost.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\system\svchost.exe N/A

Modifies Installed Components in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\svchost.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR" \??\c:\windows\system\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999} \??\c:\windows\system\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\spoolsv.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO" \??\c:\windows\system\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO" \??\c:\windows\system\svchost.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\system\explorer.exe C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe N/A
File opened for modification \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe N/A
File opened for modification \??\c:\windows\system\explorer.exe \??\c:\windows\system\explorer.exe N/A
File opened for modification \??\c:\windows\system\svchost.exe \??\c:\windows\system\svchost.exe N/A
File opened for modification C:\Windows\system\udsys.exe \??\c:\windows\system\explorer.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\system\explorer.exe N/A
N/A N/A \??\c:\windows\system\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 896 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe \??\c:\windows\system\explorer.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 2920 wrote to memory of 3300 N/A \??\c:\windows\system\explorer.exe \??\c:\windows\system\spoolsv.exe
PID 3300 wrote to memory of 3636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3300 wrote to memory of 3636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3300 wrote to memory of 3636 N/A \??\c:\windows\system\spoolsv.exe \??\c:\windows\system\svchost.exe
PID 3636 wrote to memory of 1940 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3636 wrote to memory of 1940 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3636 wrote to memory of 1940 N/A \??\c:\windows\system\svchost.exe \??\c:\windows\system\spoolsv.exe
PID 3636 wrote to memory of 4324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 4324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 4324 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 3832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 3832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 3832 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 1188 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 1188 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe
PID 3636 wrote to memory of 1188 N/A \??\c:\windows\system\svchost.exe C:\Windows\SysWOW64\at.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe

"C:\Users\Admin\AppData\Local\Temp\0a1f3f0786bfd47033093a9e23d6b074f4fecff74d7194b41d0720a6850428e7.exe"

\??\c:\windows\system\explorer.exe

c:\windows\system\explorer.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe SE

\??\c:\windows\system\svchost.exe

c:\windows\system\svchost.exe

\??\c:\windows\system\spoolsv.exe

c:\windows\system\spoolsv.exe PR

C:\Windows\SysWOW64\at.exe

at 19:03 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:04 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

C:\Windows\SysWOW64\at.exe

at 19:05 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe

Network

Files

memory/896-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/896-1-0x00000000001C0000-0x00000000001C4000-memory.dmp

memory/896-3-0x0000000000400000-0x0000000000431000-memory.dmp

memory/896-2-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

memory/896-5-0x0000000000401000-0x000000000042E000-memory.dmp

C:\Windows\System\explorer.exe

MD5 388192bda4eceeea204b4bec895f65fa
SHA1 309012d01c1ed9a3af7bb55e0437fd7de81c5fd8
SHA256 0e99042979495b2156a41488aa16043cd41aaae3337e85a7402c8df0a49f70e0
SHA512 95ecede24f3989611554896e21c5ed482dcabb69acff8bd17fcb7a7a4cd3f3f4997097c583ce4ba2f6b0026ddedc6bb9383e4a4e45fbd9e4b8959371955035ae

memory/2920-18-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2920-14-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

memory/2920-13-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\spoolsv.exe

MD5 188b0487e70d7a8409e6cdb058128304
SHA1 df6e824d08c266acdc2dd9a12dbae27c371a84e7
SHA256 a505cf7ef29754413c58f6bf5f05cb00cc3032ce02546de940532fb49fd7598c
SHA512 02aa67f1a7929ab01728db2eb641803cdfe35fa4b19b1330d5ffae2f24910034567dc1556325820ca967f9b865e9056149f596e94813b6081ff9f3187929751b

memory/3300-25-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

memory/3300-28-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\System\svchost.exe

MD5 4715eb5d7caeaefb478246aeee4b73ac
SHA1 a4de1d80552b568cd8ae05160ac35c7d25352886
SHA256 5efc08afa0ac15633dd90f30efedf836435cd56d03d7cae0bf08d21e05c91544
SHA512 b4c58cf2ac51a9509b3dc62136cbcecd42974f45e7ce795daaa8b7c454605a4dedc329f827c5dc15e6a11bbcd5c1f9b74779edf26ee6b427923a7fcd0f6a6f6f

memory/3636-35-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3636-37-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

memory/3636-41-0x0000000000400000-0x0000000000431000-memory.dmp

memory/1940-44-0x0000000074BF0000-0x0000000074D4D000-memory.dmp

memory/1940-52-0x0000000000400000-0x0000000000431000-memory.dmp

memory/896-56-0x0000000000400000-0x0000000000431000-memory.dmp

memory/896-57-0x0000000000401000-0x000000000042E000-memory.dmp

memory/3300-54-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Roaming\mrsys.exe

MD5 3cba66698c8be3b0e1d791c23750827c
SHA1 0b532e4067db4d9c156fc9f991632f1e42f625a0
SHA256 badc6aea64d1ecac390a0c748c641217bf015ee603f7c8e240c25e9a997f5557
SHA512 394e8622141edb16318f1007a73005e8aa86c43a46df2b2baecc4eb647f1f77469c0f56435c7a6b1a3d58aa239a12abb0dab3b4172b8ea21e8eb64cccbba14b9

memory/2920-59-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3636-60-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2920-69-0x0000000000400000-0x0000000000431000-memory.dmp